Docs
Other Bits
Privacy & Security

Privacy And Security

Overview

Mixpanel believes in respecting and protecting people’s fundamental online privacy and data rights. Which is why we've built Mixpanel's analysis tools in compliance with industry best-practices and global data regulations like the GDPR and the CCPA.

Visit our Privacy Hub (opens in a new tab) to see how we comply with various privacy guidelines.

Storing Your Data in the European Union

By default Mixpanel stores user data on its US Servers via the Google Cloud Platform. However, Mixpanel also provides you with the option to process and store your customers' personal data in Europe via our EU Data Residency Program (opens in a new tab). You can enable this by selecting the "EU Data Residency" option when creating a new project, and using our EU subdomain during all API calls.

APIStandard ServerEU Residency Server
Ingestion API (opens in a new tab)api.mixpanel.comapi-eu.mixpanel.com
Query API (opens in a new tab)mixpanel.com/apieu.mixpanel.com/api
Raw Data Export API (opens in a new tab)data.mixpanel.com/api/2.0/exportdata-eu.mixpanel.com/api/2.0/export
Data Pipelines API (opens in a new tab)data.mixpanel.com/api/2.0/exportdata-eu.mixpanel.com/api/2.0/export
Lexicon Schemas API (opens in a new tab)mixpanel.com/api/app/projectseu.mixpanel.com/api/app/projects
Connectors API (opens in a new tab)mixpanel.com/api/app/projectseu.mixpanel.com/api/app/projects

Using Our SDKs

Next you'll need to set the server location to EU when initializing the Mixpanel library. You can find instructions for the required config settings for each SDK below:

Querying Mixpanel Data in the EU

Once you've set the server location to EU, please notify Mixpanel so we can set your project's cluster to mixpanel-prod-eu.

To do so, reach out to your Relationship Manager, Customer Success Manager, or Account Executive and they can help coordinate this change. Once the setup is complete, you can log into your account at eu.mixpanel.com and query data in any Mixpanel report.

Log in via SSO

If you want the IdP initiated flow to direct to eu.mixpanel.com (opens in a new tab), prepend "eu." to your postback URL. For example, mixpanel.com/security/login/1 (opens in a new tab) would need to be changed to eu.mixpanel.com/security/login/1 (opens in a new tab).

Manage Personal Data

Mixpanel deletion and retrieval APIs are in place to help Mixpanel implementations meet the requirements outlined by the General Data Protection Regulation (GDPR) legislation.

📘GDPR Request Rate Limits You can batch up to 2000 distinct IDs per deletion request and up to 2000 for a retrieval request. Request rates are limited for GDPR API requests.

User Opt-Out

While the following API can be used to delete or retrieve personal data as outlined by the GPDR, it is important to also opt users out of subsequent tracking. If tracking using a client-side Mixpanel library, you can opt users out of tracking using Mixpanel's opt-out methods. These are available in the following client-side libraries:

See Mixpanel’s Managing Personal Information guide for more information on best practices when handling personal information in Mixpanel.

Authentication

Authentication occurs via a user-specific OAuth token with a scope that only includes the following deletion and retrieval APIs. Users can retrieve this token from their Account Settings (opens in a new tab) by selecting their initials in the top right of Mixpanel and selecting Profile & Preferences, and then the Data & Privacy tab. The OAuth token has a one year expiry. It should be passed in the Authentication header. Users are eligible to generate an OAuth token if they are the project owner, or if they are a project owner or admin of a project that supports team member roles.

GDPR and CCPA API (v3)

The following retrieval and deletion API calls are updated for version 3 and are made for GDPR and CCPA compliance.

Create Retrieval

Request Type: POST Description: Creates a data retrieval job. Endpoint: https://mixpanel.com/api/app/data-retrievals/v3.0/?token=<your_project_token> Parameters:

ParameterParameter TypeData TypeDescription
TokenURL. Passed in request URL.Query String ParameterYour Mixpanel project token.
distinct_idsBody. Passed in JSON blob format.Array of stringsA list of distinct IDs associated with the users whose data you would like to export. You can add up to 2000 distinct IDs.
compliance_typeBody. Passed in JSON blob format.StringSelect CCPA or GDPR. Default is GDPR.
disclosure_typeBody. Passed in JSON blob format.StringOnly required if compliance_type = CCPA. Can be Data, Categories, or Sources. Default is Data.

Authorization:

Authorization TypePass AsDescription
BearerBody. Passed in JSON blob format.Your OAuth token for GDPR APIs.

Example Request:

curl "https://mixpanel.com/api/app/data-retrievals/v3.0/?token=591b3354bb2bdd96f72f23bf56911673"
-H "Authorization: Bearer vZcErNw8JCq42BZUJyWoZmDWCKBxXc"
Rate Limit

We place a rate limit in place to ensure the integrity of our system as well as prevent a single project from monopolizing the avaialble resources for other projects. Getting a 429 response code from our GDPR API means that you have reached our rate-limit. We currently have a rate-limit of 1 request per second for GDPR APIs. We also limit maximum number of outstanding scans for a single project to be approximately 5 years.

GDPR data retrieval process works by dividing the job of extracting the events by the granularity of day, getting the events belonging to each distinct_id in the request for each day going back to the first day for which we have events in Mixpanel. Since user activity can go back several years, this means that even a single data retrieval request might require scans of many hundred days.

In order to maximize the throughput of data retrievals, we recommend sending the maximum number of distinct-ids per request, now at 2000 distinct-ids, then retrying with exponential backoff. Depending on the amount of data that needs to be scanned, retrying for several hours might sometimes be necessary.

Example Return: {"status":"ok","results":[{"status":"PENDING", "disclosure_type":"DATA", "date_requested":"2020-03-09T22:28:55.078315", "tracking_id":"1583792934719392965", "project_id":1978118, "compliance_type":"ccpa", "destination_url":null, "requesting_user":"pat.davis@mixpanel.com", "distinct_id_count":1}]}

Check Status of Retrieval

Request Type: GET

Description: Checks the status of a data retrieval job.

Endpoint: https://mixpanel.com/api/app/data-retrievals/v3.0/<tracking_id>?token=<your_project_token>

Return Format: 200 OK { "results": { "status": oneOf [ "PENDING", "STAGING", "STARTED", "SUCCESS", "FAILURE", "REVOKED", "NOT_FOUND", "UNKNOWN", ], } }

Return Key:

NameTypeDescription
PENDINGStringTask ID returned from POST.
STAGINGStringThe staging process of the retrieval task has started. The task can still be canceled during staging.
STARTEDStringThe retrieval task has started, and cannot be canceled.
SUCCESSStringThe retrieval task is complete.
FAILUREStringThe retrieval task has failed. Check the original task input parameters and create a new task.
REVOKEDStringThe retrieval task has been canceled through a DELETE operation.
NOT_FOUNDStringThe retrieval task cannot be found.
UNKNOWNStringAn error occurred while locating the retrieval task.

Parameters:

ParameterParameter TypeTypeDescription
TokenURL. Passed in request URL.Query String ParameterYour Mixpanel project token.
Task IDURL. Passed in request URL.Query String ParameterThe tracking ID shown in the response.

Authorization:

Authorization TypePass AsDescription
BearerBody. Passed in JSON blob format.Your OAuth token for GDPR APIs.

Example Request: curl "https://mixpanel.com/api/app/data-retrievals/v3.0/1583958896131033662/?token=591b3354bb2bdd96f72f23bf56911673" -H "Authorization: Bearer vZcErNw8JCq42BZUJyWoZmDWCKBxXc"

Example Return: {"status": "ok", "results": {"status": "PENDING", "result": "", "distinct_ids": ["1"]}}

Create a Deletion Task

Request Type: POST

Description: Creates a task that specifies a list of users in a particular project to delete. This will schedule a deletion job that will delete all data, including events and user profile data, for the users specified by distinct_ids. This deletion job may be canceled until it reaches the STARTED stage. It may take up to 30 days to complete a deletion task in a customer’s Mixpanel database. Mixpanel may retain records of deletion tasks for legal compliance purposes or for a short time based on our legitimate interest in providing a service continuity.

Endpoint: https://mixpanel.com/api/app/data-deletions/v3.0/?token=<your_project_token>

Parameters:

ParameterParameter TypeTypeDescription
TokenURL. Passed in request URL.Query String ParameterYour Mixpanel project token.
distinct_idsBody. Passed in JSON blob format.Array of stringsA list of distinct IDs associated with the users whose data you would like to export. You can add up to 1999 distinct IDs.
compliance_typeBody. Passed in JSON blob format.StringSelect CCPA or GDPR. Default is GDPR.

Authorization:

Authorization TypePass AsDescription
BearerBody. Passed in JSON blob format.Your OAuth token for GDPR APIs.

Example Request: curl "https://mixpanel.com/api/app/data-deletions/v3.0/?token=591b3354bb2bdd96f72f23bf56911673" -H "Authorization: Bearer vZcErNw8JCq42BZUJyWoZmDWCKBxXc" -d '{"compliance_type":"CCPA", "distinct_ids":["1"]}'

Example Return: {"status":"ok","results":[{"status":"PENDING", "disclosure_type":"DATA", "date_requested":"2020-03-09T22:28:55.078315", "tracking_id":"1583792934719392965", "project_id":1978118, "compliance_type":"ccpa", "destination_url":null, "requesting_user":"pat.davis@mixpanel.com", "distinct_id_count":1}]}

Check Status of a Deletion Task

Request Type: GET

Description: Checks the status of an existing deletion task.

Endpoint: https://mixpanel.com/api/app/data-deletions/v3.0/<tracking_id>?token=<your_project_token>

Return Format: "results": { "status": //You will get one of the following returns oneOf [ "PENDING", "STAGING", "STARTED", "SUCCESS", "FAILURE", "REVOKED", "NOT_FOUND", "UNKNOWN", ], } }

Return Key:

NameTypeDescription
PENDINGStringTask ID returned from POST.
STAGINGStringThe staging process of the deletion task has started. The task can still be canceled during staging.
STARTEDStringThe deletion task has started, and cannot be canceled.
SUCCESSStringThe deletion task is complete.
FAILUREStringThe deletion task has failed. Check the original task input parameters and create a new task.
REVOKEDStringThe deletion task has been canceled through a DELETE operation.
NOT_FOUNDStringThe deletion task cannot be found.
UNKNOWNStringAn error occurred while locating the deletion task.

Parameters:

ParameterParameter TypeTypeDescription
TokenURL. Passed in request URL.Query String ParameterYour Mixpanel project token.
Task IDURL. Passed in request URL.Query String ParameterThe tracking ID shown in the response.

Authorization:

Authorization TypePass AsDescription
BearerBody. Passed in JSON blob format.Your OAuth token for GDPR APIs.

Example Request: curl "https://mixpanel.com/api/app/data-deletions/v3.0/35bd8477-f71f-4088-af55-c88a6fb4ad4b/?token=591b3354bb2bdd96f72f23bf56911674" -H "Authorization: Bearer vZcErNw8JCq42BZUJyWoZmDWCKBxXc"

Example Return: {"status": "ok", "results": {"status": "PENDING", "result": "", "distinct_ids": ["1"]}}

Cancel Deletion

Request Type: DELETE

Description: Cancels an existing deletion task. Deletion jobs can be canceled until the STARTED stage initiates.

Endpoint: https://mixpanel.com/api/app/data-deletions/v3.0/?token=<your_project_token>

Return Format: 204 NoContent or 405 MethodNotAllowed

Return Key:

NameTypeDescription
204 NoContentQuery String Parameter requiredYour Mixpanel project token.
405 MethodNotAllowedQuery String Parameter requiredTask ID returned from POST.

Parameters:

ParameterParameter TypeTypeDescription
TokenURL. Passed in request URL.Query String ParameterYour Mixpanel project token.
distinct_idsBody. Passed in JSON blob format.Array of stringsA list of distinct IDs associated with the users whose data you would like to export. You can add up to 1999 distinct IDs.

Authorization:

Authorization TypePass AsDescription
BearerBody. Passed in JSON blob format.Your OAuth token for GDPR APIs.

Example Request: curl "https://mixpanel.com/api/app/data-deletions/v3.0/?token=591b3354bb2bdd96f72f23bf56911673" -H "Authorization: Bearer vZcErNw8JCq42BZUJyWoZmDWCKBxXc" -d '{"distinct_ids":["1"]}'

Example Return: {"status": "ok", "results": {"task_id": "35bd8477-f71f-4088-af55-c88a6fb4ad4a"}}